openstack/security-doc
Code Issues Proposed changes
Files
f7df1f4041041cea06afd0cf811ccee6cc29b76c
security-doc/security-notes/OSSN-0064
Robert Clark be2508f3c2 Adding OSSN-0064 
This OSSN addresses an issue with OpenStack Keystone
https://bugs.launchpad.net/ossn/+bug/1545789

Change-Id: I82de823c45bfbec3bbea7d1bebf4d530966507ff
2016-04-26 13:45:01 -05:00

73 lines
2.8 KiB
Plaintext
Raw Blame History

Keystone admin_token_auth use by default causes insecure operation
---
### Summary ###
A Keystone setting intended for use only during initial installation is
often left configured in its default value by OpenStack deployers.
An attacker could gain administrative access to the Keystone API by
providing the string "ADMIN" as a token.
### Affected Services / Software ###
Keystone, Folsom, Grizzly, Havana, Icehouse, Juno, Kilo, Liberty, Mitaka
### Discussion ###
The Keystone service supports an authentication middleware called
"admin_token_auth". This provides a simple token for accessing the
Keystone API and is intended to be used only for the initial setup of
Keystone, allowing the deployer access to the Keystone API which can be
used to setup appropriate Keystone administrator accounts.
The "admin_token_auth" method is configured through the
keystone-paste.ini file. The token for the "ADMIN_TOKEN" that this
method validates against is set in the keystone.conf file.
Some deployments copy these files from the example versions and use them
unchanged. This means that some production OpenStack clouds may have
"admin_token_auth" enabled and "ADMIN_TOKEN" set to the default value
of "ADMIN".
It is likely that OpenStack deployments using the default Keystone
configuration files are vulnerable to exploitation by an attacker who accesses
the API using a token of "ADMIN".
### Recommended Actions ###
Use of "ADMIN_TOKEN" for bootstrapping Keystone deployments is
deprecated and will be removed in a future release. Deployers are
encouraged to bootstrap Keystone using the 'bootstrap' feature of the
keystone-manage CLI tool:
$ keystone-manage bootstrap --bootstrap-password s3cr3t
Existing deployments should remove the "admin_token_auth" middleware
from the API pipelines in keystone-paste.ini.
---- begin bad keystone-paste.ini snippet ----
[pipeline:public_api]
pipeline = [...] token_auth admin_token_auth json_body [...]
[pipeline:admin_api]
pipeline = [...] token_auth admin_token_auth json_body [...]
[pipeline:api_v3]
pipeline = [...] token_auth admin_token_auth json_body [...]
---- end bad keystone-paste.ini snippet ----
---- begin good keystone-paste.ini snippet ----
[pipeline:public_api]
pipeline = [...] token_auth json_body [...]
[pipeline:admin_api]
pipeline = [...] token_auth json_body [...]
[pipeline:api_v3]
pipeline = [...] token_auth json_body [...]
---- end good keystone-paste.ini snippet ----
### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0064
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1545789
Mailing list [Security] tag on : openstack-dev@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
Keystone Change : https://review.openstack.org/#/c/282104/1/releasenotes/notes/admin_token-c634ec12fc714255.yaml
View Git Blame Copy Permalink